PREMIUM PESCAN.IO - Analysis Report
| File Structure |
PE chart legend (the chart image itself is not part of this text export):
- Header PE: light blue
- Executable sections: pink
- Non-executable sections: black
- External injected code: red
- File structure drawn in red: malformed or corrupted header

Chart legend for other file types:
- Printable characters: blue
- Non-printable characters: black
| Information |
| Field | Value |
|---|---|
| Size | 9,33 MB |
| SHA-256 Hash | 736518A4DFB232A3DF6B08E2C715B44A04407ADAB1A97D62AE22A1F2B9F8EFDF |
| SHA-1 Hash | 62208CCCFD5B56A765E7B9E8C0B0FC48E5B7C19E |
| MD5 Hash | F0F9CA51F6186284337C838DEB651C9F |
| Imphash | F34D5F2D4577ED6D9CEEC516C1F5A744 |
| MajorOSVersion | 4 |
| MinorOSVersion | 0 |
| CheckSum | 00000000 |
| EntryPoint (RVA) | 94B0AE |
| SizeOfHeaders | 200 |
| SizeOfImage | 95A000 |
| ImageBase | 400000 |
| Architecture | x86 |
| ImportTable | 94B060 |
| IAT | 2000 |
| Characteristics | 12E |
| TimeDateStamp | 8FED88C6 |
| Date | 09/07/2046 0:28:54 |
| File Type | EXE |
| Number Of Sections | 3 |
| ASLR | Disabled |
| Section Names | .text, .rsrc, .reloc |
| Number Of Executable Sections | 1 |
| Subsystem | Windows GUI |
| UAC Execution Level Manifest | requireAdministrator |
| Sections Info |
| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 0x60000020 Code Executable Readable | 200 | 949200 | 2000 | 9490B4 | | |
| .rsrc | 0x40000040 Initialized Data Readable | 949400 | AE00 | 94C000 | AD30 | | |
| .reloc | 0x42000040 Initialized Data GP-Relative Readable | 954200 | 200 | 958000 | C | | |
| Description |
| Field | Value |
|---|---|
| OriginalFilename | VGeko.exe |
| LegalCopyright | Copyright 2023 |
| ProductName | Geko APP |
| FileVersion | 1.0.0.0 |
| FileDescription | Geko APP |
| ProductVersion | 1.0.0.0 |
| Language | Unknown (ID=0x0) |
| CodePage | Unicode (UTF-16 LE) (0x4B0) |
| Entry Point |
The entry point lies in section 1 (.text). EntryPoint (calculated file offset): 9492AE, i.e. RVA 94B0AE - VOffset 2000 + ROffset 200.

Code bytes at the entry point: FF25002040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Disassembly:

```
JMP DWORD PTR [0x402000]
ADD BYTE PTR [EAX], AL   ; repeated 22 times: the zero-byte padding after the stub
```

The indirect jump through 0x402000 (ImageBase 400000 + IAT RVA 2000) is the standard native stub of a .NET executable; it transfers control to _CorExeMain in mscoree.dll (see the `_CorExeMain` / `mscoree.dll` strings below), so the actual program logic is managed code, not the bytes shown here.
| Signatures |
Certificate: digital signature not found. The file is not signed.
| Packer/Compiler |
- Compiler: Microsoft Visual .NET (you can use a decompiler for this...)
  - AnyCPU: True
  - Version: v4.0
- Compiler: Microsoft Visual Studio
- Detect It Easy (die):
  - PE: Protector: Eziriz .NET Reactor(6.x.x.x)[By Dr.FarFar]
  - PE: library: .NET(v4.0.30319)[-]
  - PE: linker: Microsoft Linker(48.0)[-]
  - Entropy: 7.9942 (near the 8.0 maximum, as expected for a protected/encrypted assembly)
| Suspicious Functions |
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
| File Access |
VGeko.exe, mscoree.dll, kernel32.dll, user32.dll, vgeko.dll, Temp
| File Access (UNICODE) |
VGeko.exe, 32.dll
| Words of Interest |
Encrypt, Decrypt, PassWord, <button, exec, attrib, start, cipher, shutdown, systeminfo, replace
| URLs |
- http://schemas.microsoft.com/SMI/2024/WindowsSettings
- http://schemas.microsoft.com/SMI/2005/WindowsSettings
- http://schemas.microsoft.com/SMI/2016/WindowsSettings
| IP Addresses |
- 17.0.0.0
- 17.5.0.0
| Strings/Hex Code Found With The File Rules |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | WinAPI Sockets (send) |
| Text | Ascii | File (GetTempPath) |
| Text | Ascii | Encryption (AesCryptoServiceProvider) |
| Text | Unicode | Encryption (AesCryptoServiceProvider) |
| Text | Ascii | Encryption (CipherMode) |
| Text | Ascii | Encryption (CreateDecryptor) |
| Text | Ascii | Encryption (CryptoStream) |
| Text | Ascii | Encryption (CryptoStreamMode) |
| Text | Ascii | Encryption (FromBase64String) |
| Text | Ascii | Encryption (ICryptoTransform) |
| Text | Ascii | Encryption (MD5CryptoServiceProvider) |
| Text | Ascii | Encryption (Rijndael) |
| Text | Ascii | Encryption (RijndaelManaged) |
| Text | Ascii | Encryption (SHA1CryptoServiceProvider) |
| Text | Ascii | Encryption (ToBase64String) |
| Text | Ascii | Execution (ShellExecute) |
| Text | Ascii | Keyboard Key (Scroll) |
| Text | Ascii | Information used for user authentication (Credential) |
| Text | Ascii | Malicious rerouting of traffic to an attacker-controlled site (Redirect) |
| Entry Point | Hex Pattern | Microsoft Visual C / Basic .NET |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8 |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8.0 |
| Entry Point | Hex Pattern | Microsoft Visual C v7.0 / Basic .NET |
| Entry Point | Hex Pattern | Microsoft Visual Studio .NET |
| Entry Point | Hex Pattern | .NET executable |
| Resources |
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \ICON\1\0 | 94C130 | A2A8 | 949530 | 2800000064000000C80000000100200000000000409C0000871D0000871D00000000000000000000FDFDFDFFFDFDFDFFFDFD | (...d......... .....@............................. |
| \GROUP_ICON\32512\0 | 9563D8 | 14 | 9537D8 | 0000010001006464000001002000A8A200000100 | ......dd.... ....... |
| \VERSION\1\0 | 9563EC | 30C | 9537EC | 0C0334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000 | ..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... |
| \24\1\0 | 9566F8 | 638 | 953AF8 | EFBBBF3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D227574662D38223F3E0D0A3C617373656D62 | ...<?xml version="1.0" encoding="utf-8"?>..<assemb |
| Intelligent String |
- 1.0.0.0
- VGeko.exe
- 32.dll
- 'VGeko.GrpcClient+<getLoginAccount>d__12
- .LjB
- VGeko.pdb
- _CorExeMainmscoree.dll
- <windowsSettings xmlns="http://schemas.microsoft.com/SMI/2024/WindowsSettings">
- <dpiAware xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware>
- <longPathAware xmlns="http://schemas.microsoft.com/SMI/2016/WindowsSettings">true</longPathAware>
- <supportedArchitectures xmlns="http://schemas.microsoft.com/SMI/2024/WindowsSettings">amd64 arm64</supportedArchitectures>
| Flow Anomalies |
Many of the target addresses below fall outside the mapped image (ImageBase 400000, SizeOfImage 95A000), so treat these as heuristic hits from a linear x86 disassembly of a managed, protector-encrypted .text section rather than as confirmed native control flow.

| Offset | RVA | Section | Type | Description |
|---|---|---|---|---|
| 209C6 | 7D0037 | .text | JMP [static] | Indirect jump to absolute memory address |
| 53EFF | 7D0037 | .text | JMP [static] | Indirect jump to absolute memory address |
| 5423E | 6C3CE294 | .text | JMP [static] | Indirect jump to absolute memory address |
| 56227 | 90A2C84 | .text | CALL [static] | Indirect call to absolute memory address |
| 567CA | 90A2C84 | .text | CALL [static] | Indirect call to absolute memory address |
| 67B22 | 7C6846D | .text | JMP [static] | Indirect jump to absolute memory address |
| 6A680 | 36C4C9A1 | .text | CALL [static] | Indirect call to absolute memory address |
| 6B134 | 3C30398D | .text | CALL [static] | Indirect call to absolute memory address |
| 77A38 | 3C30398D | .text | JMP [static] | Indirect jump to absolute memory address |
| 93E75 | 49D3E265 | .text | CALL [static] | Indirect call to absolute memory address |
| 99CE7 | 4D33D7D2 | .text | JMP [static] | Indirect jump to absolute memory address |
| A8E86 | 17C3FEDA | .text | CALL [static] | Indirect call to absolute memory address |
| A979B | 17C3FEDA | .text | CALL [static] | Indirect call to absolute memory address |
| ACE82 | 5C4BD087 | .text | CALL [static] | Indirect call to absolute memory address |
| B10E7 | 5286537B | .text | CALL [static] | Indirect call to absolute memory address |
| B131F | 5286537B | .text | CALL [static] | Indirect call to absolute memory address |
| B847D | 5286537B | .text | JMP [static] | Indirect jump to absolute memory address |
| C65CC | 4E52C63B | .text | CALL [static] | Indirect call to absolute memory address |
| C7C7C | 4E52C63B | .text | JMP [static] | Indirect jump to absolute memory address |
| CE164 | 4E52C63B | .text | JMP [static] | Indirect jump to absolute memory address |
| D047C | 4E52C63B | .text | JMP [static] | Indirect jump to absolute memory address |
| D89A5 | F6843FE | .text | JMP [static] | Indirect jump to absolute memory address |
| D92DF | 646400C2 | .text | CALL [static] | Indirect call to absolute memory address |
| F6AF3 | 321DC4E8 | .text | JMP [static] | Indirect jump to absolute memory address |
| F9382 | 321DC4E8 | .text | CALL [static] | Indirect call to absolute memory address |
| 105E29 | E3FFA17 | .text | JMP [static] | Indirect jump to absolute memory address |
| 108577 | CD3C894 | .text | JMP [static] | Indirect jump to absolute memory address |
| 10E787 | CD3C894 | .text | JMP [static] | Indirect jump to absolute memory address |
| 11086E | CD3C894 | .text | CALL [static] | Indirect call to absolute memory address |
| 11455E | FBF169F | .text | CALL [static] | Indirect call to absolute memory address |
| 1157D0 | FBF169F | .text | CALL [static] | Indirect call to absolute memory address |
| 12A283 | 3AD0790D | .text | JMP [static] | Indirect jump to absolute memory address |
| 12A98C | 38834595 | .text | CALL [static] | Indirect call to absolute memory address |
| 13C263 | 6C29FB47 | .text | JMP [static] | Indirect jump to absolute memory address |
| 13E860 | 6C29FB47 | .text | JMP [static] | Indirect jump to absolute memory address |
| 14167B | 13BAE3E5 | .text | CALL [static] | Indirect call to absolute memory address |
| 142130 | 13BAE3E5 | .text | JMP [static] | Indirect jump to absolute memory address |
| 148ADE | 7FD75D1C | .text | CALL [static] | Indirect call to absolute memory address |
| 14BCDE | 7FD75D1C | .text | CALL [static] | Indirect call to absolute memory address |
| 14FDA0 | E110102 | .text | CALL [static] | Indirect call to absolute memory address |
| 16AD4F | 156588E4 | .text | JMP [static] | Indirect jump to absolute memory address |
| 170CA2 | 5A5F32AE | .text | JMP [static] | Indirect jump to absolute memory address |
| 17A2E5 | 5A5F32AE | .text | JMP [static] | Indirect jump to absolute memory address |
| 17F326 | 4FC4B257 | .text | CALL [static] | Indirect call to absolute memory address |
| 18658A | 78D970DA | .text | JMP [static] | Indirect jump to absolute memory address |
| 18CF69 | 259A1CB5 | .text | CALL [static] | Indirect call to absolute memory address |
| 1931BA | 4279976F | .text | CALL [static] | Indirect call to absolute memory address |
| 19CFAC | 4279976F | .text | CALL [static] | Indirect call to absolute memory address |
| 1A169D | 6ED5B57 | .text | CALL [static] | Indirect call to absolute memory address |
| 1A936B | 6ED5B57 | .text | CALL [static] | Indirect call to absolute memory address |
| 1B7BF3 | 6ED5B57 | .text | CALL [static] | Indirect call to absolute memory address |
| 1CDD44 | 6ED5B57 | .text | CALL [static] | Indirect call to absolute memory address |
| 1DC9E4 | 57A3B308 | .text | CALL [static] | Indirect call to absolute memory address |
| 1EF107 | A113864 | .text | CALL [static] | Indirect call to absolute memory address |
| 1F6772 | 2C8D9A3E | .text | JMP [static] | Indirect jump to absolute memory address |
| 2062F1 | 5046CA0 | .text | JMP [static] | Indirect jump to absolute memory address |
| 20A49C | 4D40448C | .text | JMP [static] | Indirect jump to absolute memory address |
| 20D95D | 4D40448C | .text | CALL [static] | Indirect call to absolute memory address |
| 215B06 | 4D40448C | .text | JMP [static] | Indirect jump to absolute memory address |
| 21926D | 2F19A8DF | .text | CALL [static] | Indirect call to absolute memory address |
| 21B5AB | 2F19A8DF | .text | JMP [static] | Indirect jump to absolute memory address |
| 2253F5 | 2F19A8DF | .text | CALL [static] | Indirect call to absolute memory address |
| 22B978 | 25C0A827 | .text | CALL [static] | Indirect call to absolute memory address |
| 237C8D | 6FD7472B | .text | CALL [static] | Indirect call to absolute memory address |
| 23AC9A | 74842B38 | .text | CALL [static] | Indirect call to absolute memory address |
| 23E21D | 41990DB4 | .text | CALL [static] | Indirect call to absolute memory address |
| 240CC6 | 83C8676 | .text | CALL [static] | Indirect call to absolute memory address |
| 241FD8 | 6A792C2 | .text | CALL [static] | Indirect call to absolute memory address |
| 256E31 | 1AAADDD7 | .text | CALL [static] | Indirect call to absolute memory address |
| 25C208 | 3D01DBF | .text | CALL [static] | Indirect call to absolute memory address |
| 26A685 | 3D01DBF | .text | JMP [static] | Indirect jump to absolute memory address |
| 278A47 | 66F6B852 | .text | JMP [static] | Indirect jump to absolute memory address |
| 27E06C | 34DEB937 | .text | CALL [static] | Indirect call to absolute memory address |
| 27FDAB | 44B17D90 | .text | CALL [static] | Indirect call to absolute memory address |
| 28279C | 44B17D90 | .text | JMP [static] | Indirect jump to absolute memory address |
| 285FBA | 44B17D90 | .text | JMP [static] | Indirect jump to absolute memory address |
| 28943C | 44B17D90 | .text | CALL [static] | Indirect call to absolute memory address |
| 290039 | 452F0599 | .text | JMP [static] | Indirect jump to absolute memory address |
| 29EAC6 | 452F0599 | .text | JMP [static] | Indirect jump to absolute memory address |
| 2A0DCD | 45E1F663 | .text | JMP [static] | Indirect jump to absolute memory address |
| 2A448B | 1BCD0538 | .text | JMP [static] | Indirect jump to absolute memory address |
| 2ABE6C | 4D0B3F4 | .text | JMP [static] | Indirect jump to absolute memory address |
| 2B51F9 | 4F615DF0 | .text | JMP [static] | Indirect jump to absolute memory address |
| 2C4227 | 5330360D | .text | JMP [static] | Indirect jump to absolute memory address |
| 2D4F25 | 5330360D | .text | JMP [static] | Indirect jump to absolute memory address |
| 2F5121 | F04404 | .text | JMP [static] | Indirect jump to absolute memory address |
| 318CCD | 1A08FADF | .text | CALL [static] | Indirect call to absolute memory address |
| 3200E7 | 1A08FADF | .text | JMP [static] | Indirect jump to absolute memory address |
| 320B66 | 5FFBF994 | .text | CALL [static] | Indirect call to absolute memory address |
| 327F41 | 5FFBF994 | .text | CALL [static] | Indirect call to absolute memory address |
| 32A84D | 3767E3C7 | .text | CALL [static] | Indirect call to absolute memory address |
| 32EA17 | 79F25F4B | .text | JMP [static] | Indirect jump to absolute memory address |
| 3319F1 | 79F25F4B | .text | JMP [static] | Indirect jump to absolute memory address |
| 348C2C | 3C84A49B | .text | CALL [static] | Indirect call to absolute memory address |
| 3715FB | 3C84A49B | .text | JMP [static] | Indirect jump to absolute memory address |
| 3723AD | 3C84A49B | .text | CALL [static] | Indirect call to absolute memory address |
| 375097 | 3C84A49B | .text | JMP [static] | Indirect jump to absolute memory address |
| 37C28D | 3C84A49B | .text | JMP [static] | Indirect jump to absolute memory address |
| 37C47A | 140CCE53 | .text | JMP [static] | Indirect jump to absolute memory address |
| 38880F | 5F5CE787 | .text | CALL [static] | Indirect call to absolute memory address |
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 6671786 | 68,2028% |
| Null Byte Code | 93814 | 0,959% |